FBI takes gag out of Cloudflare's mouth after three-year legal battle

Upstart has been dying to talk about how it didn't rat out its customers in 2013

Cloudflare successfully fended off an FBI demand for people's private information, we can report this week now that a gagging order has been ripped away.

In February 2013, the Feds slapped a National Security Letter (NSL) on the San Francisco-based web delivery biz, requiring it to hand over some customer account records and banning the startup from discussing the notice with anyone.

Cloudflare and the Electronic Frontier Foundation promptly teamed up to fight off the demand by suing the US government. By July that year, the FBI gave in and withdrew its demand for data – so no customer info was handed over, we're told – but the gagging order remained. "Even though the request for information was no longer at issue, the NSL's gag order remained," said Kenneth Carter, Cloudflare's lawyer.

"For nearly four years, Cloudflare has pursued its legal rights to be transparent about this request despite the threat of criminal liability."

Now this week, roughly three years on from that early win, Cloudflare has revealed that the FBI has torn up the nondisclosure provisions in the letter, allowing the company to talk about the whole affair for the first time.

This anecdote from Cloudflare lawyer Carter is particularly telling of the gag order's negative impact on the firm's policy advocacy efforts.

"In early 2014, I met with a key Capitol Hill staffer who worked on issues related to counter-terrorism, homeland security, and the judiciary. I had a conversation where I explained how CloudFlare values transparency, due process of law, and expressed concerns that NSLs are unconstitutional tools of convenience rather than necessity.

"The staffer dismissed my concerns and expressed that Cloudflare's position on NSLs was a product of needless worrying, speculation, and misinformation. The staffer noted it would be impossible for an NSL to issue against Cloudflare, since the services our company provides expressly did not fall within the jurisdiction of the NSL statute. The staffer went so far as to open a copy of the US Code and read from the statutory language to make her point.

"Because of the gag order, I had to sit in silence, implicitly confirming the point in the mind of the staffer. At the time, I knew for a certainty that the FBI's interpretation of the statute diverged from hers (and presumably that of her boss)."

Cloudflare says it is also involved in a case being pursued by the EFF and Credo Mobile that challenges the FBI's authority to file the NSLs, and asks that the gag orders be ruled unconstitutional.

"The First Amendment requires that any gag order imposed by the executive branch be quickly evaluated by a court and demands that the government meet a high burden of justifying the gag," said EFF staff attorney Andrew Crocker.

Now that Cloudflare can speak out, the service provider hopes it can change the government's NSL policies to avoid another prolonged battle.

"Cloudflare fought this battle for four years even after the request for customer information had been dismissed," said Carter. "In addition to protecting our customers' information, we want to remain a vigorous participant in public policy discussions about our services and public law enforcement efforts."

Transparency report

Cloudflare has also published its transparency report for H2 2016, explaining that it answered six of nine subpoenas received during that period, affecting a whopping 2,586 domains and 17 accounts. It said only that it received between 0 and 249 national security orders, which affected 0 to 249 accounts.

A single search warrant and pen register/trap and trace (PRTT) order was received in the reporting period, as well as 60 court orders – which, unlike the national security orders, do have to be signed off by a judge.

Cloudflare wrote: "While there has been an increase in the number of law enforcement requests since our first transparency report in 2013, this is due in part to the five-fold increase in the number of Cloudflare customer domains in that time period. We will continue to publish this report on a semiannual basis. Please be advised that we may restate data as we go forward as more complete information becomes available or if we change our classifications."